Network and Storage Protocols

NFS exports to different sets of systems on the same SVM

__mattb__
852 Views

I seem to have misunderstood NFS Export Policies in ONTAP, or at least I can't
seem to get what I want to work. It seems to inherit the export policy "above" it.

I have a SVM with two volumes. The first is NFS exported to a bunch of hosts, I
wanted another volume, on the same SVM exported to a different host.

Host Group A should see Volume A
Host B should see Volume B

I thought I'd be able to do this by creating a new policy with the appropriate
rule, assign the policy to the volume and that would be it. I ran into problems
so I created a test SVM to reproduce the issue.

My test SVM has two export policies.

```
netapp::> vserver export-policy show -vserver test_vserver
Vserver Policy Name
--------------- -------------------
test_vserver default
test_vserver vmware_vc_backups
```

The default policy has no rules, the `vmware_vc_backups` does.

```
netapp::> vserver export-policy rule show -vserver test_vserver -policyname default -ruleindex 1
There are no entries matching your query.
```

```
netapp::> vserver export-policy rule show -vserver test_vserver -policyname vmware_vc_backups -ruleindex 1

Vserver: test_vserver
Policy Name: vmware_vc_backups
Rule Index: 1
Access Protocol: nfs3, nfs4, nfs
List of Client Match Hostnames, IP Addresses, Netgroups, or Domains: 1.1.1.1
RO Access Rule: any
RW Access Rule: any
User ID To Which Anonymous Users Are Mapped: 65534
Superuser Security Types: any
Honor SetUID Bits in SETATTR: true
Allow Creation of Devices: true
```

In this configuration, my client cannot mount the NFS volume. If I copy the rule to the default policy, it mounts just fine. I don't even have to change the export policy assigned to the volume.

Is this just the way it works or am I doing something wrong. It seems that I can't currently have 2 different volumes on the same SVM mounted to diverse clients without crossover.

 

1 ACCEPTED SOLUTION

AlexDawson
810 Views

Hi there!

 

Yes, clients must satisfy the entire set of export policies that apply to a path.

 

For your scenario, the default policy should allow read to all, and then you allow write and read to some for the sub folder policies.

 

/ -  Policy "default"

-/volume_A - Policy "subset_A"

-/volume_B - Policy "subset_B"

 

So in this example, if all clients can read by policy "default" but only 10.0.1.0/24 by policy Subset_A and 10.0.2.0/24 by policy Subset_B, 10.0.2.1 won't be able to read /volume_A

View solution in original post

1 REPLY 1

AlexDawson
811 Views

Hi there!

 

Yes, clients must satisfy the entire set of export policies that apply to a path.

 

For your scenario, the default policy should allow read to all, and then you allow write and read to some for the sub folder policies.

 

/ -  Policy "default"

-/volume_A - Policy "subset_A"

-/volume_B - Policy "subset_B"

 

So in this example, if all clients can read by policy "default" but only 10.0.1.0/24 by policy Subset_A and 10.0.2.0/24 by policy Subset_B, 10.0.2.1 won't be able to read /volume_A

Public